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- The MAILING DATE of this communication appears on the cover sheet with the correspondence address — 
Period for Reply 



A SHORTENED STATUTORY PERIOD FOR REPLY IS SET TO EXPIRE 3 MONTH(S) OR THIRTY (30) DAYS, 
WHICHEVER IS LONGER, FROM THE MAILING DATE OF THIS COMMUNICATION. 

- Extensions of time may be available under the provisions of 37 CFR 1 .136(a). In no event, however, may a reply be timely filed 
after SIX (6) MONTHS from the mailing date of this communication. 

- If NO period for reply is specified above, the maximum statutory period will apply and will expire SIX (6) MONTHS from the mailing date of this communication. 

- Failure to reply within the set or extended period for reply will, by statute, cause the application to become ABANDONED (35 U.S.C. § 133). 
Any reply received by the Office later than three months after the mailing date of this communication, even if timely filed, may reduce any 
earned patent term adjustment. See 37 CFR 1 .704(b). 

Status 

1 )KI Responsive to communication(s) filed on 24 June 2010 . 
2a )^ This action is FINAL. 2b)D This action is non-final. 

3) D Since this application is in condition for allowance except for formal matters, prosecution as to the merits is 

closed in accordance with the practice under Ex parte Quayle, 1935 CD. 11, 453 O.G. 213. 

Disposition of Claims 

4) ^ Claim(s) 15-28 is/are pending in the application. 

4a) Of the above claim(s) is/are withdrawn from consideration. 

5) D Claim(s) is/are allowed. 

6) |EI Claim(s) 15-28 is/are rejected. 

7) 0 Claim(s) is/are objected to. 

8) D Claim(s) are subject to restriction and/or election requirement. 

Application Papers 

9) Q The specification is objected to by the Examiner. 

10) ^ The drawing(s) filed on 19 May 2006 is/are: a)^ accepted or b)D objected to by the Examiner. 

Applicant may not request that any objection to the drawing(s) be held in abeyance. See 37 CFR 1.85(a). 
Replacement drawing sheet(s) including the correction is required if the drawing(s) is objected to. See 37 CFR 1.121(d). 

1 1) D The oath or declaration is objected to by the Examiner. Note the attached Office Action or form PTO-152. 

Priority under 35 U.S.C. § 119 

12) ^ Acknowledgment is made of a claim for foreign priority under 35 U.S.C. § 119(a)-(d) or (f). 
a)E| All b)D Some * c)D None of: 

1 Certified copies of the priority documents have been received. 

20 Certified copies of the priority documents have been received in Application No. . 

3.Q Copies of the certified copies of the priority documents have been received in this National Stage 
application from the International Bureau (PCT Rule 17.2(a)). 
* See the attached detailed Office action for a list of the certified copies not received. 



Attach ment(s) 

1) ^ Notice of References Cited (PTO-892) 4) □ Interview Summary (PTO-41 3) 
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Paper No(s)/Mail Date . 6) □ Other: . 
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DETAILED ACTION 

Response to Amendment 
Claims 1-14 are cancelled. Applicant's arguments/amendments with respect to pending 
claims 15-28 filed 6/24/2010 have been fully considered but are moot in view of new grounds 
rejection. The Examiner would like to point out that this action is made final (See MPEP 
706.07a). 

Information Disclosure Statement 

Although the information disclosure statement (IDS) submitted on 5/22/2009 was filed 
after the mailing date of the non-final office action on 4/1/2009 was in compliance with the 
provisions of 37 CFR 1.97, Examiner would like to note that Applicants also filed an NPL 
document entitled "Decision of a Patent Grant" that was not cited in the IDS and thus not 
considered. If Applicants would like for that NPL document to be considered, Applicants are 
asked to include it in an IDS. 

Examiner requests that Applicants either submit the corresponding IDS for this NPL 
document or make a statement if Applicants believe that it is not necessary for the NPL 
document to be listed in an IDS to be considered. 

Claim Rejections - 35 USC §103 

I. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
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having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 

II. Claims 15-28 are rejected under 35 U.S.C. 103(a) as being unpatentable over Talpade et 
al, US Pub. No. 2004/0148520, and further in view of Sharp et al., US Pub. No. 2003/01 10394 
and Sonnenberg, US Patent No. 7,076,650. 
As per claims 15, 21, and 25: 

Talpade et al. substantially teach a system/method/computer readable recording medium 
for protecting a communication device against a denial-of-service attack, comprising: a 
monitoring device provided on a local area network including the communication device, the 
monitoring device being configured to monitor a packet transmitted to the communication device 
via an internet-service-provider network (par. 17, lines 1-19 and par. 20); and a restricting device 
provided on the internet-service-provider network, the restricting device being configured to 
restrict a packet to the local area network (par. 17, lines 23-37), wherein the monitoring device 
includes an attack detecting unit configured to detect an attack by the packet on the 
communication device (par. 17, lines 1-12), and a protection-request-information transmitting 
unit configured to transmit protection request information indicating a request for protection 
against the attack (par. 17, lines 10-19 and par. 22); and the restricting device includes a packet 
restricting unit configured to restrict a packet transmitted to the communication device via the 
internet-service-provider network based on the protection request information (par. 17, lines 23- 
37 and par. 24). Furthermore, Talpade et al. teach that all traffic determined to be non-DDOS 
traffic is routed back onto the ISP network (par. 33). 

Not explicitly disclosed is the protection-request-information transmitting unit being 
configured to update the protection request information to remove packets if not included in the 
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attack from restriction based on a report of received packets transmitted from the restricting 
device. However, Sharp et al. teach packets may be held if a threshold is reached so that the 
network bandwidth is not negatively effected, where once the threshold has been lowered a 
determination is made as to whether IP addresses on the choke list are still active (par. 47-48 and 
par. 50). Sharp et al. further teach that packets from inactive IP addresses are not a part of the 
attack anymore so the IP address on the choke list is removed from the list so those packets may 
pass (par. 52). Finally, Sharp et al. mention that once the thresholds have been reduced, packets 
that are decided based on probability to be 'good' packets may be allowed into the system (par. 
85-87). Therefore, it would have been obvious to a person in the art at the time the invention 
was made to modify the method disclosed in Talpade et al. to remove the restrictions from 
packets that were determined to no longer be a part of the attack and to allow the 'good' packets 
into the system. This modification would have been obvious because a person having ordinary 
skill in the art, at the time the invention was made, would have been motivated to do so since 
Sharp et al. suggest that constantly updating the choke list by removing the restrictions prevents 
attackers from continuing to change IP addresses if 'dead' IP addresses are not removed 
frequently and that determining based on probability which packets were good packets allows for 
those packets to be sent into the system in par. 52 and par. 85-87. 

Also not explicitly disclosed is wherein the protection request information includes a 
certificate authenticating the monitoring device. However, Sonnenberg teaches that a firewall 
and other nodes which assist with packet scanning perform mutual authentication using 
certificates in order to establish trust amongst these monitoring devices (col. 8, lines 55-63). 
Therefore, it would have been obvious to a person in the art at the time the invention was made 
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to modify the method disclosed in Talpade et al. to include support for certificates which may be 
used in authenticating monitoring devices. This modification would have been obvious because 
a person having ordinary skill in the art, at the time the invention was made, would have been 
motivated to do so since Sonnenberg suggests that it's important to establish a level of trust 
between the monitoring node and other nodes and that this trust may be established through an 
authentication procedure employing certificates in col. 8, lines 55-63. 
As per claims 16, 22, and 26: 

Talpade et al, Sharp et al., and Sonnenberg substantially teach the 
system/method/computer readable recording medium according to claims 15, 21, and 25. 
Furthermore, Talpade et al. teach wherein the monitoring device further includes a signature 
generating unit configured to generate a signature indicating a feature of a packet that attacks the 
communication device, the protection-request-information transmitting unit transmits the 
protection request information including the signature to the restricting device, and the packet 
restricting unit restricts a packet corresponding to the signature (par. 26). 
As per claims 17, 23, and 27: 

Talpade et al, Sharp et al., and Sonnenberg substantially teach the 
system/method/computer readable recording medium according to claims 16, 22, and 26. 
Furthermore, Talpade et al. teach wherein the restricting device further includes a signature 
determining unit configured to determine whether the protection request information including 
the signature is appropriate, and the packet restricting unit restricts a packet corresponding to a 
signature that is determined to be appropriate, and does not restrict a packet corresponding to a 
signature that is determined to be inappropriate (par. 20). Not explicitly disclosed is where the 
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signature is based on the certificate. However, Sonnenberg teaches the use of certificates in an 
authentication procedure, where it is extremely well known for certificates to incorporate 
features (such as a public key) to enable the use of determining if a signature is authentic (col. 
10, lines 29-49). Therefore, it would have been obvious to a person in the art at the time the 
invention was made to modify the method disclosed in Talpade et al. to determine if the 
protection request which contains a signature is appropriate based on the certificate. This 
modification would have been obvious because a person having ordinary skill in the art, at the 
time the invention was made, would have been motivated to do so since Sonnenberg suggests 
that it's important to establish a level of trust between the monitoring node and other nodes and 
that this trust may be established through an authentication procedure employing certificates in 
col. 8, lines 55-63. 
As per claims 18, 24, and 28: 

Talpade et al., Sharp et al., and Sonnenberg substantially teach the 
system/method/computer readable recording medium according to claims 16, 22, and 26. 
Furthermore, Talpade et al. teach wherein the restricting device further includes a report 
generating unit configured to generate a report including a feature and an amount of packets 
corresponding to the signature, and a report transmitting unit configured to transmit the report to 
the monitoring device (par. 20 and par. 22), the signature generating unit generates a new 
signature based on the report, the protection-request-information transmitting unit transmits the 
protection request information including the new signature to the restricting device (par. 26), and 
the packet restricting unit restricts a packet corresponding to the new signature (par. 26 and par. 
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34). 

As per claim 19: 

Talpade et al, Sharp et al, and Sonnenberg substantially teach the system according to 
claim 18. Furthermore, Talpade et al. teach wherein the restricting device further includes a 
forwarding unit configured to forward the protection request information to other restricting 
devices provided on the internet-service-provider network (par. 27), the forwarding unit being 
configured to determine whether to forward the protection request information based on the 
report generated by the report generating unit. 
As per claim 20: 

Talpade et al, Sharp et al., and Sonnenberg substantially teach the system according to 
claim 17. Furthermore, Talpade et al. teach wherein the restricting device further includes a 
determination-result transmitting unit configured to transmit a determination result of the 
signature determining unit to the monitoring device, the signature generating unit of the 
monitoring device generating a new signature indicating the feature of the packet that attacks the 
communication device when the determination result indicates that the signature is inappropriate 
(par. 34). 
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^References Cited, Not Used 

The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

1. US Pub. No. 2004/0250124 

2. US Patent No. 6301668 

3. US Pub. No. 2002/0087885 

4. US Pub. No. 2003/0135762 

5. US Pub. No. 2003/0145226 

6. US Patent No. 6,609,205 

7. US Pub. No. 2004/0054925 

8. US Pub. No. 2004/0128550 

9. US Pub. No. 2004/0172557 

10. US Pub. No. 2004/0199793 

The above references have been cited because they arc relevant due to the manner in which the 
invention has been claimed. 

Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in this 
Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). 
Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period 
will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1 .136(a) will be calculated from the mailing date of the advisory action. In no event, 
however, will the statutory period for reply expire later than SIX MONTHS from the date of this 
final action. 
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Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Nadia Khoshnoodi whose telephone number is (571) 272-3825. 
The examiner can normally be reached on M-F: 8:00-4:30. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on (571) 272-3865. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

/Nadia Khoshnoodi/ 
Examiner, Art Unit 2437 
8/27/2010 
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/Emmanuel L. Moise/ 

Supervisory Patent Examiner, Art Unit 2437 



